Phoenix Consultants Group is a software development firm specializing in creating data-driven software applications and websites. Phoenix creates superior custom software products that deliver the tools necessary for business managers and owners to make informed decisions and manage their important data.

To learn more about the services we offer and our extensive client portfolio visit the tabs below.

Hi everyone,Looks like there has been a new crypto malware on the loose for the past 2 – 3 days. The malware is referred to by its author as “CryptoLocker”. Microsoft adopted the name Crilock. Sample is attached. Here are a few notes that I gathered so far. I am currently sick with the flu so take these information with a grain of salt:

Connection with the C&C server is established through either a hardcoded IP (184.164.136.134, which is down now) or if that fails through a domain generation algorithm located at 0x40FDD0 and seeded by GetSystemTime. At this time I found that xeogrhxquuubt.com and qaaepodedahnslq.org are both active and point to 173.246.105.23.

The communication channel uses POST to the /home/ directory of the C&C server. The data is encrypted using RSA. The public key can be found at offset 0x00010da0 inside the malware file.

On first contact the malware will send in an information string containing the malware version, the system language, as well as an id and a group id. In return it receives a RSA public key. In my case this has been:

The encryption used to encrypt files matching these masks is a mix of RSA and AES. Essentially the malware will generate a new AES 256 key for each file it is going to encrypt. The key is then used to encrypt the content of the file. The AES key itself is then encrypted using the public RSA key obtained from the server. The RSA encrypted blob is then stored together with the encrypted file content inside the encrypted file. As a result encrypted files are slightly larger than their originals. Last but not least the malware records the file it encrypted inside the HKCU\Software\CryptoLocker\Files key. Value names are the file paths where “\” has been replaced with “?”. I haven’t looked into the meaning of the DWORD value yet.

Feel free to add anything you find that I haven’t covered in my notes yet. At least from what I can tell so far, decryption without paying the ransom is not feasible.

This entry was posted on Thursday, October 3rd, 2013 at 8:32 am and is filed under Application Development.
You can follow any responses to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.